Connecting the dots...

• Continued proliferation of computer systems throughout governments, businesses and civic organizations

- Majority are commercial hardware/software

• Public awareness of vulnerabilities and basic INFOSEC practices is growing but still in its infancy

• IT development is driven by the consumer market

- Insufficient penetration resistance

- Insufficient application of secure engineering

- Little or no incentive to make security a priority in design/development
Reveals the Problem

• Commercial Computing Products == Security Flaws

• Flaws == owned systems

• Traditional IT Security Measures Are No Longer Adequate to Protect Our Systems

• New strategy "Agile Defense" != "new"

- Compartmentalization/segregation of assets

- Targeted allocation of security controls

- Limiting of privileges

- Routine reconstruction to a known secure state
Favored Attack Vectors

• For the past three years, sophisticated attacks consistently use one of three attack vectors: email, removable media, and compromised websites

- Malicious e-mails targeted at specific employees

- Malware delivered via USB removable media

- Malware planted on websites
Anatomy of a Targeted Email Attack

Diagram labels: Mail Server; Command & Control Established!; Data Exfiltration Begins
If That Wasn't Bad Enough...Man-in-the-Mailbox

Stage 1 - Existing Customer/Supplier Relationship

- Subject: RFI - New Component Needed

- Subject: RE: RFI - New Component Needed

Stage 2 - Attackers Compromise Supplier

Stage 3 - Attackers Exploit Trust, Reply To Messages With Malware

Stage 4 - Attackers Compromise Customer
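One mail-flow check for the stage 3 pattern, as an added example that is not part of the original deck: a reply that lands inside an existing customer/supplier thread and newly carries an executable attachment the earlier message did not. The sample RFI thread and the .example domains are constructed.

```python
"""Flag the Man-in-the-Mailbox pattern: a reply inside an existing customer/supplier
thread that newly carries an executable attachment. Added example, not from the
slides; the sample thread and .example domains below are constructed."""
from email.message import EmailMessage
from os.path import splitext

# File types a quote/RFI thread should never suddenly start carrying.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".lnk"}

def make_mail(frm, to, subject, msg_id, body, reply_to=None, attachment=None):
    """Build a sample message; attachment is (filename, bytes) or None."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = frm, to, subject, msg_id
    if reply_to:
        m["In-Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m

def risky_attachments(msg):
    """Attachment filenames on msg whose extension is in RISKY_EXT."""
    return [p.get_filename() for p in msg.iter_attachments()
            if splitext((p.get_filename() or "").lower())[1] in RISKY_EXT]

def flag_thread(messages):
    """(sender, [filenames]) for each reply whose parent we hold and which
    introduces a risky attachment the parent message did not carry."""
    by_id = {str(m["Message-ID"]).strip(): m for m in messages}
    findings = []
    for m in messages:
        parent = by_id.get(str(m.get("In-Reply-To", "")).strip())
        if parent is None or risky_attachments(parent):
            continue  # not a reply into a known thread, or thread already carried such files
        risky = risky_attachments(m)
        if risky:
            findings.append((str(m["From"]), risky))
    return findings

# Constructed sample: the slide's RFI exchange, then the hijacked supplier reply.
THREAD = [
    make_mail("buyer@customer.example", "sales@supplier.example", "RFI - New Component Needed",
              "<rfi-1@customer.example>", "Please quote the component in the attached spec."),
    make_mail("sales@supplier.example", "buyer@customer.example", "RE: RFI - New Component Needed",
              "<rfi-2@supplier.example>", "Quote attached.", reply_to="<rfi-1@customer.example>",
              attachment=("quote.pdf.exe", b"MZ placeholder bytes")),
]
```

The heuristic is deliberately narrow: it only reasons about replies whose parent message is already in the store, so a first-contact attachment is left to ordinary attachment policy.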
Targeting Websites

• Advanced threats target industry websites and portals

- Compromise "water holes"

- Send links to spoofed websites to collect credentials/data

- Send links to web pages hosting malware

• Same approach used in email attacks

- Command & Control

- Exfiltration Capability



©2010 Lockheed Martin Corporation 



USB Malware

• The propagation of malware is truly viral

- Users infect every computer they use

- Users travel and infect computers across the country

- Users move to different air-gapped networks and infect those computers, too (this would be a great way to compromise an air-gapped classified environment, for example)
Advanced USB Malware

Stage 1 - Install Malware

- Attacker takes control of asset

- Installs Malware "Controller" APT

Stage 2 - Infect Removable Media

- Clean removable media inserted

- "Collector" malware -> USB

Stage 3 - Collect Files

- Infected USB infects new host

- Gathers & encrypts files

- USB returns, accumulated files xferred to USB (hidden)

Stage 4 - Return To Controller & Exfiltrate

- USB returns to "Controller" with hidden files

- File xferred from USB to "controller"



Motivation

• Presentation virtualization success

• Enhanced security

• Reduced costs

• Consistent performance and reliability
The Journey

• 2006

- Analysis of viability of leveraging previous success

- Challenges

• 2007

- 1st generation product releases - not good

• 2008

- 2nd generation products released - not good but workable

• 2009

- Selected a hybrid approach to pilot
The Configuration

• Hypervisor

- VMware ESX V3.5.0 hypervisor

- HP DL585 G5

• 4 quad core AMD Opteron procs, 128GB RAM, 600GB local and NFS attached storage

• Virtual Desktop Management

- OS Streaming

• Citrix XenDesktop v3 Provisioning Server

• HP DL385 G5 (Win 2K3 R2, 2 quad core AMD Opteron procs, 8GB RAM, 205GB local and iSCSI attached storage)
The Configuration (cont)

• Virtual Desktop Management

- Desktop Delivery Control

• Citrix XenDesktop v3 Desktop Delivery Controller

• Virtual Machine (Win 2K3 R2, 2 virtual CPUs, 2GB RAM, 12GB local and iSCSI attached storage)

- Protocols

• Citrix ICA, Wyse TCX

• App Virtualization - VMware ThinApp

• Thin Client - Wyse V10L

• Storage - two NetApp FAS2050s
How It Works

USER CONNECTION PROCESSES/SERVICES

- Wyse V10L client checks a preconfigured FTP directory for firmware updates and current configuration

- The configuration dictates which CDDCs should be contacted for authentication

- The user's credentials are sent encrypted to the CDDC for authentication and authorization. Authentication approval/failure and authorized connections are returned

- LDAP query to Active Directory

- Non-dynamic farm information is stored in a SQL database. Critical elements of this DB are synchronized with the local host cache (IMA LHC) on the CDDC

IMAGE STREAMING PROCESSES/SERVICES

- PVS servers mount the vDisk repository (NetApp) via iSCSI. The iSCSI LUN is formatted and managed by Melio Sanbolic, a cluster file system which allows multiple hosts to share the iSCSI LUN

- VM boots and receives a DHCP address with options 60/61 (server and path to PXE boot file)

- VM connects to the streaming service; the MAC address is used to determine the assigned disk. The disk is streamed, or the VM is directed to another PVS server for service (load balancing)

- Stream is delivered via directed UDP. A client-side agent resolves retransmission issues

PROCESSES/SERVICES INTERNAL TO USER SESSIONS

- Register authorized applications

Diagram components: Wyse V10L, Citrix Desktop Delivery Controllers (IMA LHC), SQL database (DB), PVS servers, NetApp
What We've Learned So Far

Protocol is critical to user

• Multimedia and USB redirection must have

• Running separate (non-pooled) images is cost prohibitive

• Use of single image requires application virtualization
What We've Learned So Far (cont)

• Application virtualization integration issues

• The "disconnected" mobile user

• Data center impacts
What's Next?

• VMware View 4/Citrix XenDesktop 4

• PC-over-IP implementation

• Type I hypervisor for mobile user

• App virtualization production implementation

• Remote Desktop Services for Windows 2008 R2
Questions?